Topic: Domain server for Win2k computers

[twijtzes]

Hello all,

Finally we have decided to move from SME server as a workgroup controller to SME server as a domain controller. In the past years the SME server worked flawlessly. Therefore I think I must be doing something wrong. Having struggled through more than a few posts here, I give up and play the dumb blond.

In short, the windows machine (Win2k sp4) claims that my admin account is disabled/switched off when I try to log on to the domain for the first time after switchting from workgroup (dutch: werkgroep) to domain. After entering the admin/password combination, I get an error message

The exact message that I get from the windows machine is:

Code: [Select]

De volgende fout is opgetreden tijdens het lid worden van domein FOODSAFE:

Aanmeldingsfout: account is momenteel uitgeschakeld
I think that translates to

Code: [Select]

The folowing error has occured while trying to joint the domain FOODSAFE:

Login error: account is currently disabled (or switched off)

However:
I can log in on the server manager using my admin account, see emails etc etc. It all seems to works properly.

As I said, probably I am missing something, forgetting something. Please help.


Thanks for helping
Taco

The samba log says

Code: [Select]

[2008/11/28 10:27:40, 1] auth/auth_sam.c:sam_account_ok(142)
 sam_account_ok: Account for user 'admin' was disabled.



 

[David Harper]

Have you installed the registry patch from http://yourserver/server-resources/ ?

[twijtzes]

Great....
That seemed to do the trick TXS

BUT
Now it is complaining that the group policies are different.. any ideas ?

Thanks
Taco

[David Harper]

Not really, but check out your server's NETLOGON share to see whether there are any ntconfig.pol or ntconfig.man files present.

SME uses NT4 style policies.

[twijtzes]

Hi David,

I guess the netlogon is not a regular share, as it does not show up when I try to connect to it using my network places

Using PUTTY and MC i went to /home/e-smith/files/samba and found three directories

/netlogon
/printers
/profiles

The /netlogon directory only contains a file netlogon.bat which is obviously intended to set drive mappings and so forth. For the rest it is empty.

/printers has several directories for differenet printer types. (useful for later.....)

/profiles has user directories such as my own. All directories are empty.

I cannot find the files that you mention (ntconfig.pol or ntconfig.man). Furthermore I did a search across the server (find file in MC) and found no such files.

What to do ?

thanks in advance,
Taco

[David Harper]

Well if there are no policies being set at the server level, you have come across a Win2K workstation issue, which, unfortunately, this forum is not really designed to address.

[gzartman]

In short, the windows machine (Win2k sp4) claims that my admin account is disabled/switched off when I try to log on to the domain for the first time after switchting from workgroup (dutch: werkgroep) to domain. After entering the admin/password combination, I get an error message

It's a little unclear if you are having problems with your windows client administrator accounts or the SME admin account.

Speaking in general terms, when you switched from a peer-to-peer (workgroup) network to domain network, you introduced another authentication layer to your setup.  With a windows domain network, you have machine (or local) authentication and domain (or network) authentication.  Whereas, with a peer-to-peer (workgroup) network, you are only dealing with the machine (local) authentication.

When you log into a windows domain you are granted certain network privileges and certain machine (local) privileges, based on the domain group(s) which you are a member of.   The standard domain group Domain Admins is the group that is granted both domain administrator privileges and local machine administrator privileges.

Out-of-the-box, SME is configured so that the only SME user who is a member of the Domain Admins group is the SME "admin" user.  You can change this by accessing the SME Groups server-manager panel and defining a group called something like "da" with the description "Domain Admins"    This will map the SME group "da" to the domain group Domain Admins.  Any SME users you add to the group "da" will be granted Domain Admin privileges when they log into the domain.

My guess is that you need to re-tool your thinking.  With a domain network, you don't need local machine accounts.  All authentication is done by SME.  In fact, having local machine accounts can result in authentication conflicts if the same username is both a local username and a domain username (perhaps this is part of the issue you are having).   Try removing all of the local machine accounts you had defined in your previous setup, create the user accounts in SME, then try logging in. 

[twijtzes]

Hi Guys,

Thank you for your help so far. I will try a complete fresh install of win2k and see if that works. It should as there are hundreds of people using the SME as domain contoller. When it works; i know what to do ...... Only 35 machines to go.

Thank you very much for now, i'll be back......

Taco

[gzartman]

Hi Guys,

Thank you for your help so far. I will try a complete fresh install of win2k and see if that works. It should as there are hundreds of people using the SME as domain contoller. When it works; i know what to do ...... Only 35 machines to go.
Taco

That is an incredible waste of time.  It is very rarely necessary to reinstall windows due to network login issues.

[Boris]

Before changing your windows workstation from workgroup "FOODSAFE" to domain "FOODSAFE", change them to temporary workgroup "TEMP", then restart windows. After restart join domain "FOODSAFE" using user admin and your-sme-admin-password.

[gzartman]

Before changing your windows workstation from workgroup "FOODSAFE" to domain "FOODSAFE", change them to temporary workgroup "TEMP", then restart windows. After restart join domain "FOODSAFE" using user admin and your-sme-admin-password.

Very good point Boris.

Windows is funny that way.  Typically you are forced to drop to a temp work group any time you change the machine name or going from a domain->workgroup or visa-versa, as you've pointed out.

[Boris]

Windows is funny that way.

In this case its not the Windows, but samba's behavior. It doesn't  like multiple connections with different credentials to the server. Changing to temporary workgroup name assures that no cached connections are automatically established upon restart.

[gzartman]

In this case its not the Windows, but samba's behavior. It doesn't  like multiple connections with different credentials to the server. Changing to temporary workgroup name assures that no cached connections are automatically established upon restart.

No, the problem is with Windows.  I can change any configuration parameter in samba and make it active by restarting the nmbd, smbd, and possible winbindd daemons.  No reboot required.

This has nothing to do with cached information. 

[Boris]

Greg,
I am not sure if Linux vs Windows discussion is really needed. As a professional I happily use whatever is appropriate for the job, just considering the strength and limitations of different systems.

[CharlieBrady]

I am not sure if Linux vs Windows discussion is really needed.

I don't see any such discussion.